feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
This commit is contained in:
Matt Bauman
2025-12-05 05:15:16 -05:00
committed by GitHub
parent 9275e1532b
commit c2f82add3a
17 changed files with 69 additions and 12 deletions


@@ -7,7 +7,7 @@ The following scanners are supported.
| Package manager | SBOM | Vulnerability | License | | Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:| |-----------------|:----:|:-------------:|:-------:|
| Pkg.jl | ✓ | - | - | | Pkg.jl | ✓ | | - |
The following table provides an outline of the features Trivy offers. The following table provides an outline of the features Trivy offers.


@@ -171,6 +171,7 @@ trivy filesystem [flags] PATH
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -192,6 +192,7 @@ trivy image [flags] IMAGE_NAME
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -180,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -170,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -172,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -156,6 +156,7 @@ trivy vm [flags] VM_IMAGE
- chainguard - chainguard
- bitnami - bitnami
- govulndb - govulndb
- julia
- echo - echo
- minimos - minimos
- rootio - rootio


@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
| Dart | [GitHub Advisory Database (Pub)][pub-ghsa] | ✅ | - | | Dart | [GitHub Advisory Database (Pub)][pub-ghsa] | ✅ | - |
| Elixir | [GitHub Advisory Database (Erlang)][erlang-ghsa] | ✅ | - | | Elixir | [GitHub Advisory Database (Erlang)][erlang-ghsa] | ✅ | - |
| Swift | [GitHub Advisory Database (Swift)][swift-ghsa] | ✅ | - | | Swift | [GitHub Advisory Database (Swift)][swift-ghsa] | ✅ | - |
| Julia | [Open Source Vulnerabilities (Julia)][julia-osv] | ✅ | - |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB [^1]: Intentional delay between vulnerability disclosure and registration in the DB
@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i
[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia
[nvd]: https://nvd.nist.gov/vuln [nvd]: https://nvd.nist.gov/vuln
[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/ [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
[CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681 [CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 [RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
[ghsa]: https://github.com/advisories [ghsa]: https://github.com/advisories
[requests]: https://pypi.org/project/requests/ [requests]: https://pypi.org/project/requests/
[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall [precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall

go.mod

@@ -24,7 +24,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17 github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.9.1 github.com/aquasecurity/trivy-kubernetes v0.9.1
github.com/aws/aws-sdk-go-v2 v1.40.0 github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -475,7 +475,6 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/grpc v1.76.0 // indirect google.golang.org/grpc v1.76.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect

go.sum

@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w= github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k= github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM= github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727 h1:LawBOgOh1qrwcVTPPfZPwZkuRBIfl4IyCitnmdAjwe8=
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4= github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727/go.mod h1:KL/C38wFKTREFgKSShT3DEmjNYSNXoYQ96wtQXRbnM8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ= github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -1520,8 +1520,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=


@@ -99,13 +99,13 @@ nav:
- Elixir: guide/coverage/language/elixir.md - Elixir: guide/coverage/language/elixir.md
- Go: guide/coverage/language/golang.md - Go: guide/coverage/language/golang.md
- Java: guide/coverage/language/java.md - Java: guide/coverage/language/java.md
- Julia: guide/coverage/language/julia.md
- Node.js: guide/coverage/language/nodejs.md - Node.js: guide/coverage/language/nodejs.md
- PHP: guide/coverage/language/php.md - PHP: guide/coverage/language/php.md
- Python: guide/coverage/language/python.md - Python: guide/coverage/language/python.md
- Ruby: guide/coverage/language/ruby.md - Ruby: guide/coverage/language/ruby.md
- Rust: guide/coverage/language/rust.md - Rust: guide/coverage/language/rust.md
- Swift: guide/coverage/language/swift.md - Swift: guide/coverage/language/swift.md
- Julia: guide/coverage/language/julia.md
- IaC: - IaC:
- Overview: guide/coverage/iac/index.md - Overview: guide/coverage/iac/index.md
- Ansible: guide/coverage/iac/ansible.md - Ansible: guide/coverage/iac/ansible.md


@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
eco = ecosystem.Kubernetes eco = ecosystem.Kubernetes
comparer = compare.GenericComparer{} comparer = compare.GenericComparer{}
case ftypes.Julia: case ftypes.Julia:
log.Warn("Julia is supported for SBOM, not for vulnerability scanning") eco = ecosystem.Julia
return Driver{}, false comparer = compare.GenericComparer{}
default: default:
log.Warn("The library type is not supported for vulnerability scanning", log.Warn("The library type is not supported for vulnerability scanning",
log.String("type", string(libType))) log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
vuln := types.DetectedVulnerability{ vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID, VulnerabilityID: adv.VulnerabilityID,
VendorIDs: adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
PkgID: pkgID, PkgID: pkgID,
PkgName: pkgName, PkgName: pkgName,
InstalledVersion: pkgVer, InstalledVersion: pkgVer,
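Review bot: The comment on the new `VendorIDs` line in DetectVulnerabilities reads as a grammar slip ("Any vendors have specific IDs") and does not tell a maintainer what the field carries relative to VulnerabilityID. I would reword it to `VendorIDs: adv.VendorIDs, // vendor-specific advisory IDs that accompany the CVE, e.g. GHSA or JLSEC` so the pairing with the CVE is explicit. In the NewDriver hunk the Julia case now uses compare.GenericComparer{}, the same comparer the Kubernetes case just above it uses; that looks consistent, but a short comment such as `// Pkg.jl versions are SemVer-style, so the generic comparer is sufficient` would record why no dedicated comparer was added, assuming that is the reasoning. Both NewDriver and DetectVulnerabilities start and end outside these hunks.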


@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
}, },
want: []types.DetectedVulnerability{ want: []types.DetectedVulnerability{
{ {
VulnerabilityID: "CVE-2022-21235", VulnerabilityID: "CVE-2022-21235",
VendorIDs: []string{
"GHSA-6635-c626-vj4r",
},
PkgName: "github.com/Masterminds/vcs", PkgName: "github.com/Masterminds/vcs",
InstalledVersion: "v1.13.1", InstalledVersion: "v1.13.1",
FixedVersion: "v1.13.2", FixedVersion: "v1.13.2",
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
}, },
}, },
}, },
{
name: "julia package",
fixtures: []string{
"testdata/fixtures/julia.yaml",
"testdata/fixtures/data-source.yaml",
},
libType: ftypes.Julia,
args: args{
pkgName: "HTTP",
pkgVer: "1.10.16",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2025-52479",
PkgName: "HTTP",
InstalledVersion: "1.10.16",
FixedVersion: "1.10.17",
DataSource: &dbTypes.DataSource{
ID: vulnerability.Julia,
Name: "Julia Ecosystem Security Advisories",
URL: "https://github.com/JuliaLang/SecurityAdvisories.jl",
},
VendorIDs: []string{
"JLSEC-2025-1",
},
},
},
},
{ {
name: "non-prefixed buckets", name: "non-prefixed buckets",
fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"}, fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},


@@ -30,3 +30,8 @@
ID: "ghsa" ID: "ghsa"
Name: "GitHub Security Advisory Go" Name: "GitHub Security Advisory Go"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
- key: "julia::Julia Ecosystem Security Advisories"
value:
ID: "julia"
Name: "Julia Ecosystem Security Advisories"
URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"


@@ -8,3 +8,5 @@
- v1.13.2 - v1.13.2
VulnerableVersions: VulnerableVersions:
- "<v1.13.2" - "<v1.13.2"
VendorIDs:
- "GHSA-6635-c626-vj4r"


@@ -0,0 +1,12 @@
- bucket: "julia::Julia Ecosystem Security Advisories"
pairs:
- bucket: HTTP
pairs:
- key: CVE-2025-52479
value:
PatchedVersions:
- 1.10.17
VulnerableVersions:
- "<1.10.17"
VendorIDs:
- "JLSEC-2025-1"